Jenkins CLI Arbitrary File Leak via args4j Argument Resolution Vulnerability

We discussed this vulnerability during Episode 241 on 12 February 2024.

An arbitrary file leak (restricted read) in Jenkins that can be used to leak sensitive information in some scenarios. Ultimately, the vulnerability comes from Jenkins’ use of args4j, a small but well-known Java library for parsing command-line arguments. One feature of args4j is abusable: any argument prefixed with @ is treated as a file path, and the contents of the file at that path are substituted for the argument. By invoking the Jenkins CLI tool so that file contents are expanded into the arguments of enable-job, connect-node, or help, an attacker can get some of those contents echoed back in an error message complaining about too many arguments.

This can be reached via jenkins-cli directly or by sending a POST request to the /cli endpoint. Exploiting the vulnerability, though, would require an attacker to have access to the Jenkins CLI. Configurations that allow anonymous registration and anonymous read permission are called out as particularly susceptible to this bug.
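The args4j behaviour described above, next to the parser setting that turns it off, as an added example (not Jenkins' code and not from the original write-up). It assumes args4j is on the classpath; `AtSyntaxDemo`, `OneArgCommand` and the temporary file are constructed for the demonstration.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.List;
import org.kohsuke.args4j.Argument;
import org.kohsuke.args4j.CmdLineException;
import org.kohsuke.args4j.CmdLineParser;
import org.kohsuke.args4j.ParserProperties;

public class AtSyntaxDemo {
    // Hypothetical command bean: accepts exactly one positional argument.
    public static class OneArgCommand {
        @Argument(index = 0, required = true, metaVar = "NAME")
        public String name;
    }

    // Parse args with the given properties; return the bound value or the
    // parser's error text, which is what a CLI would show to the caller.
    static String parse(ParserProperties props, String... args) {
        OneArgCommand cmd = new OneArgCommand();
        try {
            new CmdLineParser(cmd, props).parseArgument(args);
            return "parsed name=" + cmd.name;
        } catch (CmdLineException e) {
            return "error: " + e.getMessage();
        }
    }

    public static void main(String[] unused) throws Exception {
        // Constructed sample file standing in for data on the server's disk.
        Path file = Files.createTempFile("at-syntax-demo", ".txt");
        Files.write(file, List.of("first-line", "second-line"));
        String arg = "@" + file;
        try {
            // Default properties: at-syntax is enabled, so each line of the
            // file becomes an argument and the surplus one ends up in the
            // parser's error message.
            System.out.println("default:  " + parse(ParserProperties.defaults(), arg));

            // Hardened: with at-syntax disabled the argument is bound as a
            // literal string and the file is never opened.
            ParserProperties noAt = ParserProperties.defaults().withAtSyntax(false);
            System.out.println("hardened: " + parse(noAt, arg));
        } finally {
            Files.delete(file);
        }
    }
}
```

Any service that passes user-supplied strings to an args4j parser on the server side has the same exposure unless the at-syntax is disabled or the error text is kept away from the caller.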